The rampage of the botnet attacking Electrum continues to leave devastation in its wake. Now at 152,000 infected computers, the menace shows no sign of ending. Not only has the botnet taken thousands of computers captive, it has also stolen crypto assets worth $4.6 million, according to Malwarebytes.
Malwarebytes has stayed very close to the unfolding event, “closely monitoring” the ongoing attack against the Electrum Bitcoin wallet. Describing the genesis of the botnet attack, the company noted that:
“Victims were being tricked to download a fraudulent update that stole their cryptocurrencies.”
In a bid to stop the spread of the botnet, Electrum developers responded with a countermeasure aimed at protecting their users. Sadly, it brought no real benefit: the threat actors upped their game by launching Distributed Denial of Service (DDoS) attacks to keep their operation afloat.
The Botnet Continues To Spread
The rate at which the botnet is growing is alarming. As of April 24 the number of infected computers was still below 100,000. A day later it had risen to 152,000, according to Malwarebytes.
As if that were not enough, Malwarebytes has identified a second botnet loader, “Trojan.BeamWinHTTP,” which downloads the trojan “transactionservices.exe,” the principal malicious file that brings the botnet to life. The first loader is “ElectrumDosMiner.”
The Beginning Of The Attacks
Malwarebytes wrote in a blog post that the attacks can be traced back to 2018, when it claims they first surfaced on the network. Since then the attacks have only become more pronounced, especially in 2019.
When the criminals got wind of the attempt by the company’s developers to fix the problem, they retaliated by launching a denial of service attack against Electrum’s servers. The attackers did not stop there: they circumvented the company’s initial patch by engineering a way to redirect users to malware-serving machines.
Electrum is known as a “lightweight” wallet with a simplified architecture and a client/server configuration. That configuration became a loophole in the hands of the attackers, who did not fail to exploit it to compromise the security of the network.
The criminals knew that anyone can easily operate as a public Electrum peer on the network, and they took advantage of this to wreak havoc on Electrum. The attackers mounted a Sybil attack, introducing compromised nodes into the network, which has now left thousands upon thousands of computers infected.
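The Sybil risk described above, as an added example that is not part of the article or of Electrum’s code: a constructed model in which a lightweight client picks servers from an open pool that the attacker has flooded with malicious ones. It compares a client that follows server-pushed update links, one that asks several servers for agreement, and one that treats server text purely as data; the URL, pool sizes and client names are all assumptions for the model.

```python
import math
import random

# Constructed placeholder for the fraudulent update a malicious server pushes;
# the real download locations are not given in the article.
FAKE_UPDATE = "http://update.example-attacker.invalid/electrum-update.exe"


def build_pool(honest, malicious):
    """Open server pool: honest servers push no update notice (None); Sybil
    servers run by the attacker all push the same fraudulent update link."""
    return [None] * honest + [FAKE_UPDATE] * malicious


def naive_client(pool, rng):
    """Vulnerable behaviour: trust the one server it connected to and follow
    any update link it sends. Returns True if the client would be compromised."""
    notice = rng.choice(pool)
    return notice is not None


def quorum_client(pool, rng, k=5):
    """Ask k distinct servers and act only if all of them push the same update.
    Against a Sybil attacker this lowers the odds but does not remove the risk."""
    notices = rng.sample(pool, k)
    return all(n is not None for n in notices)


def pinned_client(pool, rng):
    """Hardened behaviour: a server message is data, never an instruction.
    Updates come only from the vendor's own signed release channel, so a
    server-pushed link is ignored no matter how many servers send it."""
    rng.choice(pool)  # still connects to a server for blockchain data
    return False


def exact_quorum_risk(honest, malicious, k=5):
    """Probability that all k sampled servers are Sybil nodes (hypergeometric)."""
    return math.comb(malicious, k) / math.comb(honest + malicious, k)


def compromise_rate(client, honest, malicious, trials=10_000, seed=1):
    """Fraction of simulated clients compromised for a given Sybil share."""
    rng = random.Random(seed)
    pool = build_pool(honest, malicious)
    return sum(client(pool, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, client in [("naive", naive_client), ("quorum", quorum_client),
                         ("pinned", pinned_client)]:
        print(name, compromise_rate(client, honest=60, malicious=140))
```

With 140 attacker servers among 200, about 70% of naive clients and roughly 16% of five-server quorum clients are compromised, while the pinned client never is: the fix is not better server selection but refusing to act on server-supplied messages.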